Bug#790943: Root and local certificate location clash

To: Daniel Pocock <daniel@pocock.pro>, 790943@bugs.debian.org
Cc: "control@bugs.debian.org" <control@bugs.debian.org>
Subject: Bug#790943: Root and local certificate location clash
From: Stefan Fritsch <sf@sfritsch.de>
Date: Sat, 04 Jul 2015 14:52:33 +0200
Message-id: <[🔎] 3032080.7t6kW0kpNa@k>
Reply-to: Stefan Fritsch <sf@sfritsch.de>, 790943@bugs.debian.org
In-reply-to: <[🔎] 55964E56.9030500@pocock.pro>
References: <[🔎] 55964E56.9030500@pocock.pro>

severity 790943 normal
thanks

On Friday 03 July 2015 10:56:54, Daniel Pocock wrote:
> I've marked this bug serious because it could lead to security
> problems if people mix root certs and other certs in the same
> directory

The certificates generated by make-ssl-cert all have "X509v3 Basic 
Constraints: CA:FALSE". Any program that accepts such certificates as 
trusted root certificate already has a serious security problem. 
Therefore I don't think the policy of make-ssl-cert to put certs into 
/etc/ssl/certs creates additional security issues. I am downgrading 
the bug accordingly.

I am not really against putting server and ca certificate into 
separate directories. But some Debian-wide default would be nice, of 
course. Maybe we can discuss that at Debconf?

Reply to:

Follow-Ups:
- Processed: Re: Bug#790943: Root and local certificate location clash
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

References:
- Bug#790943: Root and local certificate location clash
  - From: Daniel Pocock <daniel@pocock.pro>

Prev by Date: Processed: Re: Bug#790943: Root and local certificate location clash
Next by Date: apache2 still not migrating to stretch
Previous by thread: Bug#790943: Root and local certificate location clash
Next by thread: Processed: Re: Bug#790943: Root and local certificate location clash
Index(es):
- Date
- Thread